Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Application Security and Development Security Technical Implementation Guide
SRG-APP-000251
The application must protect from command injection.
The application must protect from command injection.
An XCCDF Rule
Details
Profiles
Prose
The application must protect from command injection.
High Severity
<VulnDiscussion>A command injection attack is an attack on a vulnerable application where improperly validated input is passed to a command shell setup in the application. The result is the ability of an attacker to execute OS commands via the application. A command injection allows an attacker to execute their own commands with the same privileges as the application executing. The following is an example of a URL based command injection attack. Before alteration: http://sitename/cgi-bin/userData.pl?doc=user1.txt Example URL modified: http://sitename/cgi-bin/userData.pl?doc=/bin/ls| The result is the execution of the command “/bin/ls” which could allow the attacker to list contents of the directory via the browser. The following is a list of functions vulnerable to command injection sorted according to language. Language Functions/Characters - C/C++ - system(), popen(), execlp(), execvp(), ShellExecute(), ShellExecuteEx(), _wsystem() - Perl - system, exec, `,open, |, eval, /e - Python - exec, eval, os.system, os.popen, execfile, input, compile - Java - Class.forName(), Class.newInstance(), Runtime.exec()</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>